Anti-virus programs for Android can usually end up bypassed using trivial means, researchers found.
DroidChameleon is a tool that can modify known malware apps in numerous ways to prevent anti-virus from detecting them, said researchers from Northwestern University and North Carolina State University.
Most of the ten scanners researchers tested mainly performed signature-based analyses. In some cases, simply changing the package name in the metadata was enough for virus scanners to consider the malware harmless. Several scanners could end up fooled by unpacking the malware and then creating new installation packages. In other cases, the researchers were successful after encrypting parts of the app or redirecting function calls.
Their conclusion is unambiguous: They could fools all ten anti-virus programs in one way or another. Many of the methods the researchers used have long been common practice with Windows malware, and some have even deployed Android malware in the past. Tested scanners included anti-virus programs from AVG, Dr. Web, ESET, ESTSoft, Kaspersky, Lookout, Symantec, Trend Micro, Webroot and Zoner.
However, the researchers were also able to provide some positive news: during the test period from February 2012 to February 2013, the candidates improved steadily.
While the scanners initially missed 45 percent of trivially modified malware samples in total, a year later, they only missed 16 percent; the researchers attribute this to the increased use of content-based matching.
The researchers’ findings are a further reason for users to not allow the installation of apps from untrusted sources, also called sideloading, in the first place.
The majority of malicious programs are in areas outside of the official Google Play download catalogue – in peer-to-peer exchanges, forums, and alternative app portals.